----- Original Message -----
From: "Nicholas Weaver" <[email protected]>
To: "George Barwood" <[email protected]>
Cc: "Nicholas Weaver" <[email protected]>; "Matt Larson" <[email protected]>; <[email protected]>
Sent: Friday, March 19, 2010 12:33 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
> On Mar 19, 2010, at 12:21 AM, George Barwood wrote:
>> I suggest the default value in BIND for max-udp-size should be 1450.
>> This appears to be best practice.
>> Since few zones are currently signed, it's not too late to make this change.
>> Later on it may be more difficult.
>
> Actually, I'd say this ONLY for the root and TLDs. For the rest, the onus
> should be on the resolver to discover that it can't handle fragmentation and
> adjust the MTU appropriately.

There are advantages besides messages being lost. It also prevents spoofing of fragments, and limits amplification attacks.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
